The Protection of Personal Information Act No. 4 of 2013
(“POPIA”/”POPI”)

PRIVACY POLICY

Policy operational date

1 July 2021

Date approved by Information Officer

30 June 2021

Next policy review date

1 July 2022

The Company recognises that its first priority under the POPI Act is to avoid causing harm to individuals. In the main this means:

• keeping information securely in the right hands, and
• retention of good quality information.

Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, the Company will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.

Key risks

The Company has identified the following potential key risks, which this policy is designed to address:

• Breach of confidentiality (information being given out inappropriately);
• Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects being insufficiently informed;
• Failure to offer choice about data use when appropriate;
• Breach of security by allowing unauthorised access;
• Harm to individuals if personal data is not up to date;

Data Operator contracts.

Scope

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 2.

Processing Limitation

The Company undertakes to comply with the POPI Act, Conditions 2 in terms of processing limitation, sections 9 to 12, subject to the following stipulation (Forms of Consent).

Forms of consent

The Company undertakes to gain written consent where appropriate; alternatively, a recording must be kept of verbal consent.

Nature of Personal Information

The Company has used the Data Inventory to identify all instances of personal information in the Company.

Scope

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 3.

Purpose specification

The Company undertakes to comply with the POPI Act, Conditions 2 in terms of processing limitation, sections 13 and 14, subject to the following stipulation (Retention periods).

Retention periods

The Company will establish retention periods for at least the following categories of data:

• Directors
• Staff
• Customers
• Suppliers

Cookies are alphanumeric identifiers that the Company transfer to the Data Subjects computer’s hard drive through the Data Subject web browser to enable the Company systems to recognise the Data Subject browser and to automatically collect information from the Data Subject computer such as the Data Subject IP address and other details about the Data Subject computer which are automatically collected by the Company web server, operating system, and browser type, for system administration and to report aggregate information to the Company. This is statistical data about the Company users’ browsing actions and patterns and does not identify any individual.

The “Help” menu on the menu bar of most browsers will tell the Data Subject how to prevent the Data Subject browser from accepting new cookies, how to have the browser notify the Data Subject when the Data Subject receive a new cookie and how to disable cookies altogether. Additionally, the Data Subject can disable or delete similar data used by browser add-ons, such as flash cookies, by changing the add-on’s settings or visiting the website of its manufacturer. However, because cookies allow the Data Subject to take advantage of some of the Company’s essential features, the Company recommend that the Data Subject leave them turned on. If the Data Subject do leave cookies turned on, be sure to sign off when finished using a shared computer.

Scope

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 4.

Further processing limitation

The organisation undertakes to comply with the POPI Act, Conditions 2 in terms of processing limitation, section 15.

Scope

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 5.
The Company will comply with all of the aspects of Condition 5, section 16.

Accuracy

The Company will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:

• Data on any individual will be held in as few places as necessary, and all staff will be discouraged from establishing unnecessary additional data sets.
• Effective procedures will be in place so that all relevant systems are updated when information about any individual changes.
• Staff who keeps more detailed information about individuals will be given additional guidance on accuracy in record keeping.

Updating

The Company will review all personal information on an annual basis.

Archiving

All Personal Information which the Data Subject provide to the Company will be held and/ or stored securely for the purpose of collection. The Data Subject’s Personal Information will be stored electronically in a database. Where appropriate, some information may be retained in hard copy. In either event, storage will be secure and audited regularly regarding the safety and the security of the information. Where data is stored electronically outside the borders of South Africa, such is done only in countries that have similar privacy laws to the Company’s own or where such facilities are bound contractually to no lesser regulations than those imposed by POPI. Once this information is no longer required, due to the fact that the purpose has been served, such Personal Information will be safely and securely archived for a period of 7 years, as per the requirements of the Companies Act, 71 of 2008, or longer, should this be required by any other law applicable in South Africa. Thereafter, all the Data Subject’s Personal Information will be permanently destroyed. Information about the Company’s members is an important part of the Company’s business and the Company do not sell it to others. The Company shares customer information only as described below.

Third Party Service Providers: The Company employs other companies and individuals to perform functions on the Company’s behalf. Examples include sending postal mail and e-mail, removing repetitive information from customer lists, analysing data, and providing marketing services. Third party service providers have access to personal information needed to perform their functions but may not use it for other purposes. Further, they must process the personal information in accordance with this privacy policy and as permitted by South African data protection legislation.

Business Transfers: As the Company continue to develop business, the Company might sell or buy or subsidiaries or business units. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing privacy policy (unless, of course, the customer consents otherwise). Also, in the unlikely event that the Company or substantially all of its assets are acquired, personal information will of course be one of the transferred assets.

Protection of the Company and others: The Company release account and other personal information when the Company believe that such a release is appropriate to comply with the law; enforce or apply the Company customer or other agreements; or protect the rights, property or safety of the Company, users or others. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction. Obviously, however, this does not include selling, sharing or otherwise disclosing personally identifiable information from customers for commercial purposes in a way that is contrary to the commitments made in this privacy policy. With the Data Subject’s consent, other than as set out above, the Data Subject will receive notice when information about the Data Subject might go to third parties, and the Data Subject will have an opportunity to choose not to share the information.

Scope

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 6.

Openness

In line with Conditions 6 and 8 of the Act, the Company is committed to ensuring that in principle Data Subjects are aware that their data is being processed and

• for what purpose it is being processed;
• what types of disclosure are likely; and
• How to exercise their rights in relation to the data.

Procedure

Data Subjects will generally be informed in the following ways:

• Policies
• Privacy Notice
• Consent Forms

Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.

Scope

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 7, and section 19 to 22.
This section of the policy only addresses security issues relating to personal information. It does not cover security of the building, business continuity or any other aspect of security.

Specific risks

The Company has identified the following risks:

• Staff with access to personal information could misuse it.
• Staff may be tricked into giving away information, either about customers / member or colleagues, especially over the phone, through

“social engineering”.

Setting security levels

Access to information on the main the Company computer system will be controlled by function.

Security measures

The Company will ensure that all necessary controls are in place in terms of access to personal information.

Business continuity

The Company will ensure that adequate steps are taken to provide business continuity in the event of an emergency.

Scope

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 8, sections 23 to 25.

Responsibility

Any subject access requests will be handled by the POPI Act Information Officer in terms of Condition 8.

Procedure for making request

Subject access requests must be in writing. All staff is required to pass on anything which might be a subject access request to the POPI Act Information Officer without delay.

Requests for access to personal information will be handled in compliance with the POPI Act and in compliance with the Promotion of Access to Information Act (PAIA), as defined in the Company PAIA Manual.

Provision for verifying identity

Where the individual making a subject access, request is not personally known to the POPI Act Information Officer their identity will be verified before handing over any information.

Charging

Fees for access to personal information will be handled in compliance with the PAIA Act.

Procedure for granting access

Procedures for access to personal information will be handled in compliance with the PAIA Act, as defined in the Company PAIA Manual.

Data Subject’s rights

The Data Subject have the right to request a copy of the personal information the Company hold about the Data Subject or to object to the processing of personal information held about the Data Subject. To do this, contact the Company at the numbers/addresses listed earlier and specify what information the Data Subject would like. The Company will take all reasonable steps to confirm the Data Subject’s identity before providing details of the Data Subject’s personal information.

The Data Subject can always choose not to provide information. If the Data Subject do not want to receive e-mail or other electronic communications and mail from the Company, tick the opt-out box in the Data Subject’s terms and conditions or let the Company know in writing if the Data Subject don’t want to receive these offers. However, please note, if the Data Subject do not want to receive legal notices from the Company, such as this privacy policy, those notices will still govern the Data Subject use of the Company services and products and it is the Data Subject’s responsibility to review them for changes.

The Data Subject have the right to ask the Company to update, correct or delete the Data Subject’s personal information. The Data Subject may do this by contacting the Company at the numbers/addresses provided earlier. The Company will take all reasonable steps to confirm the Data Subject’s identity before making changes to personal information the Company may hold about the Data Subject. The Company would appreciate it if the Data Subject would keep personal information accurate. Please update information by contacting the Company at the numbers/addresses provided earlier whenever details change.

Scope

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part B, sections 26 to 33.

Processing of Special Personal Information

The Company has the policy of adhering to the process of Special Personal Information which relates to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Data Subject.
Special personal information includes criminal behaviour relating to alleged offences or proceedings dealing with alleged offences.

Unless a general authorisation, alternatively a specific authorisation relating to the different types of special personal information applies, a responsible party is prohibited from processing special personal information.

Scope

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part C, sections 34 and 35.

Processing of Personal Information of Children

The Company has the policy of adhering to the process of Special Personal Information of children. This applies to under-18 individuals, so an age check is required for all personal information records.

General authorisation concerning personal information of children only applies where under-18 are involved.

Scope

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 8.

Direct Marketing, Directories and Automated Decision Making
The Company undertakes to comply with the POPI Act Chapter 8, sections 69 to 71.

Opting in

Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opportunity to opt in.

Electronic contact

Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.

Scope

The scope of this aspect of the policy is written in support of the provisions of the POPI Act, Chapter 5, Part B.

Documentation

Information for staff is contained in this policy document and other materials made available by the Information Officer.

Induction

The Information Officer will ensure that all staff that has access to any kind of personal information will have their responsibilities outlined during their induction procedures.

Continuing training

The Company will provide opportunities for staff to explore POPI Act issues through training, team meetings, and supervisions.

Procedure for staff signifying acceptance of policy

The Company will ensure that all staff sign acceptance of this policy once they have had a chance to understand the policy and their responsibilities in terms of the policy and the POPI Act.

Responsibility

The Information Officer is responsible for an annual review to be completed prior to the policy anniversary date.

Procedure

The Information Officer will ensure relevant stakeholders are consulted as part of the annual review to be completed prior to the policy anniversary date.